From: Jeff King <peff@peff.net>
To: Jann Horn <jannh@google.com>
Cc: git@vger.kernel.org, gitster@pobox.com,
"Nguyễn Thái Ngọc Duy" <pclouds@gmail.com>,
"Johannes Schindelin" <johannes.schindelin@gmx.de>,
"Nicolas Pitre" <nico@fluxnic.net>
Subject: [PATCH 4/5] patch-delta: consistently report corruption
Date: Thu, 30 Aug 2018 03:10:26 -0400 [thread overview]
Message-ID: <20180830071026.GD15420@sigill.intra.peff.net> (raw)
In-Reply-To: <20180830070548.GA15081@sigill.intra.peff.net>
From: Jann Horn <jannh@google.com>
When applying a delta, if we see an opcode that cannot be
fulfilled (e.g., asking to write more bytes than the
destination has left), we break out of our parsing loop but
don't signal an explicit error. We rely on the sanity check
after the loop to see if we have leftover delta bytes or
didn't fill our result buffer.
This can silently ignore corruption when the delta buffer
ends with a bogus command and the destination buffer is
already full. Instead, let's jump into the error handler
directly when we see this case.
Note that the tests also cover the "bad opcode" case, which
already handles this correctly.
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Jeff King <peff@peff.net>
---
patch-delta.c | 5 +++--
t/t5303-pack-corruption-resilience.sh | 30 +++++++++++++++++++++++++++
2 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/patch-delta.c b/patch-delta.c
index b937afd2c9..283fb4b759 100644
--- a/patch-delta.c
+++ b/patch-delta.c
@@ -51,13 +51,13 @@ void *patch_delta(const void *src_buf, unsigned long src_size,
if (unsigned_add_overflows(cp_off, cp_size) ||
cp_off + cp_size > src_size ||
cp_size > size)
- break;
+ goto bad_length;
memcpy(out, (char *) src_buf + cp_off, cp_size);
out += cp_size;
size -= cp_size;
} else if (cmd) {
if (cmd > size || cmd > top - data)
- break;
+ goto bad_length;
memcpy(out, data, cmd);
out += cmd;
data += cmd;
@@ -75,6 +75,7 @@ void *patch_delta(const void *src_buf, unsigned long src_size,
/* sanity check */
if (data != top || size != 0) {
+ bad_length:
error("delta replay has gone wild");
bad:
free(dst_buf);
diff --git a/t/t5303-pack-corruption-resilience.sh b/t/t5303-pack-corruption-resilience.sh
index 7114c31ade..41dc947d3f 100755
--- a/t/t5303-pack-corruption-resilience.sh
+++ b/t/t5303-pack-corruption-resilience.sh
@@ -370,4 +370,34 @@ test_expect_failure \
echo base >base &&
test_must_fail test-tool delta -p base truncated_copy_delta /dev/null'
+# \0 - empty base
+# \1 - one byte in result
+# \1 - one literal byte (X)
+# \1 - trailing garbage command
+test_expect_success \
+ 'apply delta with trailing garbage literal' \
+ 'printf "\0\1\1X\1" > tail_garbage_literal &&
+ test_must_fail test-tool delta -p /dev/null tail_garbage_literal /dev/null'
+
+# \5 - five bytes in base
+# \1 - one byte in result
+# \1 - one literal byte (X)
+# \221 - copy, one byte offset, one byte size
+# \0 - copy from offset 0
+# \1 - copy 1 byte
+test_expect_success \
+ 'apply delta with trailing garbage copy' \
+ 'printf "\5\1\1X\221\0\1" > tail_garbage_copy &&
+ echo base >base &&
+ test_must_fail test-tool delta -p /dev/null tail_garbage_copy /dev/null'
+
+# \0 - empty base
+# \1 - one byte in result
+# \1 - one literal byte (X)
+# \0 - bogus opcode
+test_expect_success \
+ 'apply delta with trailing garbage opcode' \
+ 'printf "\0\1\1X\0" > tail_garbage_opcode &&
+ test_must_fail test-tool delta -p /dev/null tail_garbage_opcode /dev/null'
+
test_done
--
2.19.0.rc1.539.g3876d0831e
next prev parent reply other threads:[~2018-08-30 7:10 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-29 20:58 [PATCH 1/3] patch-delta: fix oob read Jann Horn
2018-08-29 20:58 ` [PATCH 2/3] t/helper/test-delta: segfault on OOB access Jann Horn
2018-08-29 21:34 ` Jeff King
2018-08-29 21:40 ` Jann Horn
2018-08-29 21:46 ` Jeff King
2018-08-29 21:48 ` Jeff King
2018-08-29 20:58 ` [PATCH 3/3] t5303: add tests for corrupted deltas Jann Horn
2018-08-29 22:03 ` Jeff King
2018-08-29 22:30 ` Jeff King
2018-08-29 21:20 ` [PATCH 1/3] patch-delta: fix oob read Jeff King
2018-08-29 22:18 ` Jeff King
2018-08-30 7:05 ` [PATCH 0/5] handle corruption in patch-delta Jeff King
2018-08-30 7:07 ` [PATCH 1/5] test-delta: read input into a heap buffer Jeff King
2018-08-30 7:09 ` [PATCH 2/5] t5303: test some corrupt deltas Jeff King
2018-08-30 17:38 ` Junio C Hamano
2018-08-30 18:42 ` Jeff King
2018-08-30 18:44 ` Jeff King
2018-08-30 18:50 ` Junio C Hamano
2018-08-30 19:13 ` Jeff King
2018-08-31 9:58 ` Johannes Schindelin
2018-08-31 15:33 ` Junio C Hamano
2018-08-31 19:47 ` Jeff King
2018-08-31 21:39 ` Junio C Hamano
2018-08-31 21:14 ` Johannes Schindelin
2018-08-31 21:41 ` Jeff King
2018-08-31 21:55 ` Junio C Hamano
2018-08-30 7:09 ` [PATCH 3/5] patch-delta: fix oob read Jeff King
2018-08-30 7:10 ` Jeff King [this message]
2018-08-30 7:12 ` [PATCH 5/5] patch-delta: handle truncated copy parameters Jeff King
2018-08-30 13:25 ` [PATCH 0/5] handle corruption in patch-delta Jann Horn
2018-08-30 15:23 ` Nicolas Pitre
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180830071026.GD15420@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=jannh@google.com \
--cc=johannes.schindelin@gmx.de \
--cc=nico@fluxnic.net \
--cc=pclouds@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).